In-House Privacy Counsel in Tech, AMA Forum

[Anonymous User]

Hi all - I moved in-house in a privacy counsel role from a firm about a year ago to a pretty big, but not FAANGM, tech company. I've used TLS for info for years, so happy to pay it back by answering any Qs.

For background, before I took this job, I was a 5th/6th year in DC regulatory Big Law (focusing on privacy and another substantive area).

[CardozoLaw09]

Did you try to go in-house sooner than 5th/6th year?

[Anonymous User]

Do you have a sense of whether employment litigators can get roles in these types of companies, and if so, what types of qualifications they look for? Asking for a friend (really though)!

[Anonymous User]

Do you have a sense of whether employment litigators can get roles in these types of companies, and if so, what types of qualifications they look for? Asking for a friend (really though)!

[the lsat failure]

Thanks for doing this. I've been wondering, do technology transactions folks get enough exposure to privacy matters to move into a privacy counsel role? I'm sure there's a difference in M&A diligence TT and ECVC TT, but it'd be nice to hear from someone who's made the move. Seems like your previous role has direct overlap with a privacy-focused inhouse role, but TT seems to be in a weird middle ground between M&A, Commercial Counsel, and Privacy.

[Anonymous User]

Did you try to go in-house sooner than 5th/6th year?

I would say I was casually looking for about a year, including government jobs. I was actively looking for about 6 months.

[Anonymous User]

Do you have a sense of whether employment litigators can get roles in these types of companies, and if so, what types of qualifications they look for? Asking for a friend (really though)!

I don’t have a ton of insight into what the employment team looks for, but absolutely employment litigators can be competitive for employment counsel roles at tech companies. I would think the standard credentials would be big firm and/or in-house experience at a comparably sized company, but as I said I don’t have specific insight.

[Anonymous User]

Thanks for doing this. I've been wondering, do technology transactions folks get enough exposure to privacy matters to move into a privacy counsel role? I'm sure there's a difference in M&A diligence TT and ECVC TT, but it'd be nice to hear from someone who's made the move. Seems like your previous role has direct overlap with a privacy-focused inhouse role, but TT seems to be in a weird middle ground between M&A, Commercial Counsel, and Privacy.

TT should be a very natural fit for a generalist Product Counsel role, which I would guess the average person looking to go in house at a tech company would see as the most desirable first job out of a firm.

A few years ago I think you would see a ton of people going from TT to Privacy Counsel because there just weren’t many actual attorneys specializing in privacy. Now it’s probably slightly more difficult, but would still definitely be doable if you can sell your privacy experience and speak knowledgeably about privacy issues. If you’re coming from a firm, they will expect that you’ll need to learn a ton about how to operate within the company, but IME they’ll want you to have a strong grasp of the substantive issues.

If this is something you want to pursue, I’d look into getting CIPP/US certification (your firm might even pay for it). It’s a credential a lot of companies look for.

[Anonymous User]

Are there other regulatory practices from which tech companies hire? In other words, in what other substantive regulatory areas are there in-house positions at tech companies?

Did you have to relocate from DC?

[Anonymous User]

Are there other regulatory practices from which tech companies hire? In other words, in what other substantive regulatory areas are there in-house positions at tech companies?

Did you have to relocate from DC?

This is a question where the category of “Tech” probably confuses things more than helps—even though I introduced it! The answer will depend entirely on what business the company is in and whether it is heavily regulated. A financial services tech company like PayPal or Plaid will have financial regulatory attorneys, a healthcare tech company like Oscar will likely have healthcare regulatory, etc. Anecdotally, I would say there are the most regulatory tech jobs in privacy and consumer financial reg.

I did relocate for the job, though not totally clear whether they would have made me if I didn’t want to. Today, they would 100% be happy to have you work basically anywhere in the US.

[Anonymous User]

I work at a top tech company in a regulatory/policy legal role. I have the opportunity to work on some privacy files. I come from a government background and not Big law. I got lucky and was able to get in with less than 5 years of call experience. I was thinking of doing the CIPP and carving out a specialization in privacy (while still focusing on my policy and regulatory work). What are your thoughts on this? Are there any other courses or specializations you recommend?

[Anonymous User]

I work at a top tech company in a regulatory/policy legal role. I have the opportunity to work on some privacy files. I come from a government background and not Big law. I got lucky and was able to get in with less than 5 years of call experience. I was thinking of doing the CIPP and carving out a specialization in privacy (while still focusing on my policy and regulatory work). What are your thoughts on this? Are there any other courses or specializations you recommend?

CIPP certification is definitely well-respected. Probably 80-90% of privacy legal postings have CIPP certification as at least a preferred qualification. I don’t have it—though I will probably do it sooner or later—and I don’t know how much the actual lawyers who make final decisions care, but at minimum it shows you know the basics. (As an aside, having started very briefly to figure out how to study for the test, it honestly seems like a racket to me. Subject matter knowledge isn’t good enough. You have to basically know all the facts the way they are presented in their particular textbook. But it’s respected nonetheless.) No other courses particularly jump to mind.

On specialization, if you mean within privacy, AI/machine learning is an area where there is going to be a ton of action in the relatively near future (and already is starting to be in Europe). De-identification is something that is very important and also deceptively complicated. Also, just generally understanding GDPR well is something that can distinguish you from a lot of American lawyers. It is valuable both because big companies are all dealing with it all the time and because US policy making is always going to be responding in some way to GDPR. When I was at the firm, our UK/EU lawyers always handled GDPR questions, but now I’m expected to field lots of questions about it, which has been the steepest substantive learning curve.

[Anonymous User]

OP here. Thought I’d bump this post almost a year later. Hit me up with any questions.

[Anonymous User]

Are you still in DC or did you move?

What is your typical workday?

What do you actually do? Do you find that your regulatory work was necessary/relevant or just the expected background?

How hard would it be for a corporate associate to get a job like that?

[Anonymous User]

Are you still in DC or did you move?

I moved, but only because I wanted to. The job could easily be in DC. (And post-pandemic, it could be anywhere in the country.)

What is your typical workday?

— Usually a couple of meetings, sometimes with product counsel to talk through a new product/initiative their business teams are working on, sometimes with the lawyers on my team, and sometimes with others on more cross-functional projects.
— I’m usually working on one more projects that require a short memo or other written work product, so that’ll take part of my day including research, analysis etc.
— I’ll have a couple vendor privacy reviews and contract negotiations to weigh in on. (These are pretty tedious.)

Altogether I probably do like 4-5 true “billable” hours of work every day. I literally work 50-60% of what I did in Biglaw.

What do you actually do? Do you find that your regulatory work was necessary/relevant or just the expected background?

Kind of alluded to it above, but most of what I do is one way or another providing advice on what a product, engineering or other team needs to do to comply with privacy or security law (or to follow privacy principles more generally), or at least what the benefits and risks are of different approaches. My work from the firm is extremely relevant. Soft skills are helpful, but 80% of my value is just knowing the law and how other companies handle similar issues.

How hard would it be for a corporate associate to get a job like that?

Pretty hard, at least at our company. But certainly would be competitive for corp counsel and generalist product counsel roles.

[Definitely Not North]

Great thread. What is day-to-day/life like for your counterparts in corporate counsel and product counsel roles? Any insight on what career tracks look like for them?

[Anonymous User]

Great thread. What is day-to-day/life like for your counterparts in corporate counsel and product counsel roles? Any insight on what career tracks look like for them?

Thanks! I have very little insight about corporate counsel. I haven’t worked on a big deal yet (my boss seems to be trying to protect me from having to be on the restricted trading schedule, but I wouldn’t really care), and otherwise I pretty much never interact with them. But we do a lot of deals and explore even more, so I imagine diligence, strategy etc take up a lot of their time.

I have a lot better sense for P counsel, who I work with a ton. Their days seem to be very full of meetings, especially with the business and engineering teams they cover. As you’d expect, they need to be generalists, able to offer quick and actionable advice on lots and lots of things, and then also knowing when to loop in the specialist teams.

When there is a bigger initiative underway, they manage the process of getting product teams to explain what they want to do, and then getting all the various specialists to weigh in and approve. They’ll also take the lead in doing things like drafting or updating terms etc.

Even just in the 1.5 years I’ve been at the company, I’ve seen plenty of career progression for the P counsel, which mostly consists of becoming responsible for multiple products and managing a few p counsel beneath you. It helps that we’re growing a lot. This is also the internal path to becoming head of legal for a particular business unit.

[Anonymous User]

Thank you for a great AMA! I am a third-year privacy associate at a Cravath scale firm. I have been passively looking to go in-house (and possibly relocate near my family in the Southeast), and would love to get some insight about compensation for a privacy counsel position. How much of a pay cut did you have to take (if any) when making the transition, and how does the salary progression/career development look like?

[Anonymous User]

Thank you for a great AMA! I am a third-year privacy associate at a Cravath scale firm. I have been passively looking to go in-house (and possibly relocate near my family in the Southeast), and would love to get some insight about compensation for a privacy counsel position. How much of a pay cut did you have to take (if any) when making the transition, and how does the salary progression/career development look like?

I was a rising sixth year in BL, and my starting pay was ~$250k/yr all in, of which about 20% was equity. So headline, it was a pretty big pay cut, but the stock did amazingly during the pandemic, so it hasn’t been much, if any, of a cut so far. I got about a 10% raise after year 1 (including new equity). Honestly not too clear on what the pay increases will be going forward, but the company is growing fast enough that there’s plenty of room for promotion. Other than that, job prospects for other in-house roles seem very good. Top Biglaw firm + tech firm privacy counsel experience is something a lot of companies look for and isn’t yet that easy to find.

[Anonymous User]

What do your workstreams look like? And is litigation a natural segue into privacy counsel? Finally, have you seen anyone successfully make the switch after 1-2 years in big law?

[Anonymous User]

What do your workstreams look like? And is litigation a natural segue into privacy counsel? Finally, have you seen anyone successfully make the switch after 1-2 years in big law?

I covered the workstreams a bit above on the question about my typical day, but they generally fall in one of these categories:
(1) Product counseling - Advising business/engineering teams and product counsel on privacy compliance for new products/initiatives. Actual work can vary from issue spotting in a 30 minute meeting to big risk assessment and legal recommendation memos.
(2) Compliance projects - Privacy-driven projects to address a compliance gap (often resulting from a new requirement). Here, we’ll put together pretty detailed docs with analysis and recommendations, socialize with the relevant stakeholders, then work with a product manager who leads implementation.
(3) Vendor/partnership management. This includes privacy reviews of all new vendors with whom we share PII (usually very tedious), negotiations of privacy terms, and more product counseling style work about more significant vendor integrations or partnerships.
(4) Incident response. If there’s any kind of issue with data being stored in the wrong place, with the wrong kind of encryption etc, there are project managers who handle most of the fact finding, but we need to be intimately involved to ask the right questions for legal and determine whether we’ve met any notification threshold.

There are lots of privacy people reasonably high up in companies who started as litigators, but I think that mostly reflects an old reality. Until quite recently, the privacy niche was extremely narrow, and so it was very hard to find lawyers trained in it. That’s much less true now. There’s no issue with having some litigation in your background, but if you don’t have significant privacy experience already, we wouldn’t look very hard at your app.

1-2 years in Biglaw would be very junior to move. We’ve considered one or two people who were 3-4 years (and focusing on privacy), but decided they were too junior. (But if they had really nailed the interview they could have gotten the job.) Other tech companies with bigger legal departments (Google, Facebook) seem to post a fair amount for 3+ years experience, but 1-2 would be tough.

[Anonymous User]

Hey -- I'm a product counsel in tech.

Do you like privacy-focused roles? Privacy law seems like a pain in the ass to me -- take Schrems II. EU has essentially said that cloud companies in the US are now illegal -- but placed it on the customers of these companies to determine if that's true or not. It just seems to be there's a lot of time and money spent on privacy with little to no benefit to end-users. What's your take?

Also, how do you think your role is different from the product counsel role? Which is in higher demand right now? Which has a better future ahead?

[Anonymous User]

Hey -- I'm a product counsel in tech.

Do you like privacy-focused roles? Privacy law seems like a pain in the ass to me -- take Schrems II. EU has essentially said that cloud companies in the US are now illegal -- but placed it on the customers of these companies to determine if that's true or not. It just seems to be there's a lot of time and money spent on privacy with little to no benefit to end-users. What's your take?

I think data protection as a concept is important, but I agree that the current structure of privacy law—especially the ancillary parts of GDPR, such as rules about cross border transfers like you mention—places a huge emphasis on paper pushing without providing real benefits to people.

Broadly, I think privacy law is far too focused on transparency and individual rights and not nearly focused enough on substantively regulating practices we think are bad. Giving people “notice” and an opportunity to opt out that you share data with Facebook or data brokers or whoever doesn’t actually accomplish much. But there could be a lot of value, eg, in banning or severely limiting the sale of personal data to a company the individual never interacted with. The problem, of course, is that kind of approach would actually disrupt the business models of major companies, rather than just employing us lawyers.

Also, how do you think your role is different from the product counsel role? Which is in higher demand right now? Which has a better future ahead?

There’s definitely overlap in the day-to-day, but I do think they are fundamentally quite different. My impression is that the main qualities of a good product counsel are being generally very smart and having a decent grasp of a lot of different things; understanding the products they cover well; having good people skills, especially in managing non-lawyers and making them feel like they’re all in it together; and being able to manage a lot of moving pieces.

All of those skills help for privacy counsel, especially the people skills, but the main thing is you need to have a deep, substantive knowledge of the subject area. I like that aspect of the job. I’ve always liked jobs that are more “intellectual,” but more importantly I always want my value to be more about what I know than how hard I work or how diligent or detail-oriented I am — because frankly I really value my free time, and I have no interest in giving a shit about the kind of pointless details you have to care about in Biglaw.

Hard for me to say which is in more demand. Obviously there are a lot more product counsel roles out there, but the pool of qualified applicants is also higher. I bet it’s probably slightly easier to find a privacy counsel job at the moment if you have the right credentials, but that’s just a guess.

I couldn’t say about the future either. I don’t get the sense that the privacy field is getting oversaturated, but I’m also not sure the compliance regimes will continue to expand so fast. My guess is that having specific expertise in an area that isn’t going to stop being mandatory for companies is slightly better for job security, but a little worse for upward mobility.

[Anonymous User]

Well put! You seem like a great colleague and I wish you were on my team

-product counsel

[Anonymous User]

This is all very helpful, thank you! I’m a biglaw privacy attorney in a niche practice area (think GLBA/HIPAA/FINRA/COPPA/FCRA). Are these positions also in demand for in house counsel roles, or are most companies looking for more generalist privacy attorneys (like GDPR, CCPA, FTC, etc.)? How hard would it be to sell a niche privacy role for a more general privacy role? And when do you think the best time is to make the switch from biglaw to in house privacy counsel?